Implementation of new EU data protection rules challenging
Companies are nevertheless busy preparing for the new rules.
The failure of the National Assembly to pass the bill could cause some difficulties, Information Commissioner Mojca Prelesnik has told the STA.
The government had asked parliament to fast-track the bill so that it would take effect before 25 May, but the college of deputy group leaders decided in mid-April that the bill of such complexity and sensitivity required a regular procedure, which means that it will not be passed before the 3 June general election.
According to Prelesnik, only a few EU countries - Germany, Austria, Slovakia and France - have adopted their own national data protection legislation before the new EU rules and some, including Croatia, are still working on it.
In Slovenia, the EU rules will enter into force without a prior legal framework, so certain legal unclarity is expected, Prelesnik said.
This means that two legal documents will apply, the GDPR and the old law on data protection, which in many ways collides with the new European regulation. "In such cases, the European regulation will of course prevail," the information commissioner said.
The new EU regulation gives individuals more control over the use of their personal data. It gives them the right to access their personal data and information about how this data is processed, the right of erasure, and it allows the transfer of personal data from one electronic processing system to another.
A novelty for Slovenia will be data protection officer, who however will not have to be appointed at every company but only those that process large amounts of sensitive personal data or whose core activity is processing such data, meaning banks, insurers, communication companies and retailers with loyalty programmes.
Some of these companies already have a person in charge of data protection and most of them told the STA they expected no major difficulties, because they had already given due attention to personal data protection so far.
But they plan to further improve their systems in line with the new EU regulation.
Banks are mostly concerned about the lack of a one-year transitional period which was envisaged by the Slovenian bill for the obtaining of new consents for processing data.
Telecommunication companies expect their users to be unhappy when they receive such a large amount of requests for consents. T-2 and A1 said that adjustments to the new Slovenian law, once it is passed, could again affect their business operations and cause additional costs.
Insurer Adriatic Slovenica welcomed the additional internal adjustments regarding the collection and processing of clients' data, saying that they would make these processes more transparent.
Tourism companies are also intensively preparing for the changes, with travel agency Kompas thinking of new marketing approaches, because it expects many users will not give their consent to receiving ads.
Retailers with loyalty programmes are in for some adjustments too. They expect that aside from obtaining customers' consent, the tracing of personal data processing to be the most difficult and technically challenging obligation.
They expect this to be a very long process, as less than half of individuals open their mail, according to their information. People are also not acquainted with the topic and many may simply ignore the efforts of companies to comply with the new rules, Mercator said.